Link: Free file host from freemail sender with NLU intent
Detects free file host links sent by freemail senders with a short body and NLU indicators.
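name: "Link: Free file host from freemail sender with NLU intent"
description: "Detects free file host links sent by freemail senders with a short body and NLU indicators."
type: "rule"
severity: "low"
source: |
  type.inbound

  // short body: a bare lure with little text surrounding the link
  and length(body.plain.raw) < 500

  // NLU intent: at least one non-benign intent on the plain-text body.
  // any() over an empty intent list is already false, so a separate
  // length(...intents) > 0 guard is redundant and the classifier is
  // invoked only once here.
  // NOTE(review): no confidence threshold is applied, which keeps the
  // rule broad (severity "low"); if false positives are high, consider
  // also requiring .confidence in ("medium", "high").
  // NOTE(review): this keys on body.plain.raw; if the plain-text body is
  // empty (HTML-only message) the classifier yields no intents and the
  // rule will not match — confirm whether that is acceptable.
  and any(ml.nlu_classifier(body.plain.raw).intents, .name != "benign")

  // free file host link: match either the full host or its root domain
  // so subdomains of a listed host (e.g. per-user share hosts) are caught
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )

  // freemail sender (root domain of the From: address) that has not
  // previously been marked a false positive and is not a solicited sender
  and sender.email.domain.root_domain in $free_email_providers
  and not profile.by_sender().any_false_positives
  and not profile.by_sender().solicited

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "569817fe-96b5-5c1d-96dc-30cd1cb9fd16"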